Lecture 7. Public Key Cryptography (Diffie-Hellman and RSA)

Size: px

Start display at page:

Download "Lecture 7. Public Key Cryptography (Diffie-Hellman and RSA)"

Dortha Lloyd
5 years ago
Views:

1 Lectue 7 Pulic Key Cytogahy (Diffie-Hellman and RSA) 1

2 Pulic Key Cytogahy Asymmetic cytogahy Invented in (Diffie-Hellman and Rivest-Shami- Adleman) Two keys: ivate (SK), ulic (PK) Encytion: with ulic key; Decytion: with ivate key Digital Signatues: Signing y ivate key; Veification y ulic key. i.e., encyt message digest/hash -- h(m) -- with ivate key Authoshi (authentication) Integity: Simila to MAC Non-eudiation: can t do with secet key cytogahy Much slowe than conventional cytogahy Often used togethe with conventional cytogahy, e.g., to encyt session keys 2

3 Pulic Key Cytogahy Bo s ulic key PK B Bo s ivate key SK B laintext message, m encytion algoithm cihetext PK (m) B decytion algoithm laintext message m SK (PK (m)) B B 3

4 Key Pe-distiution: Diffie-Hellman New Diections in Cytogahy 1976 System wide aametes : lage ime, a geneato in Z Alice's secet: v, ulic: Bo's secet: w, ulic: Alice has: Bo has: * v y a a w y a w y a v y a v K ( y ) a w K ( y ) a a a 4

5 Pulic Key Pe-distiution: Diffie-Hellman Alice comutes K a Secue communication Bo comutes K a K a with K a Eve knows:, a, y a and y 5

6 Pulic Key Pe-distiution: Diffie-Hellman Diffie Hellman Polem: lage ime, a geneato in Z Given : v w y a and y a a vw FIND : a * Discete Log Polem: Given : v y a a FIND : v 6

7 Pulic Key Pe-distiution: Diffie-Hellman Decision DH Polem: lage ime, a geneato Given : v w y a, y a a Distinguish : vw K a a fom a andom nume! DH Assumtion: DH olem is HARD (not P) DL Assumtion: DL olem is HARD (not P) DDH Assumtion: solving DDH olem is HARD (not P) 7

8 Choose andom v Inteactive (Pulic) Key Exchange: Diffie-Hellman y a a v Comute v K ( y ) a y w a Choose Secue communication andom w, Comute K a ( y a ) w with K a Eve is assive 8

9 The Man-in-the-Middle (MitM) Attack (assume Eve is an active advesay!) Choose andom v y a a v Comute v K ( y ) a y a w Secue communication with Ka Choose andom w, Comute K a ( y a ) w 9

10 RSA (1976-8) Let n q whee,q lage imes e,d R Z n and ed 1 Φ(n) whee : Φ(n) ( 1)(q 1) q q 1 Secets :,q,d Pulics : n,e Encytion : message m < n E(x) y m e n Decytion : cihetext y D( y) x' y d n 10

11 Why does it all wok? x Z n * x ed x 1Φ(n) n x c*φ(n)+1 n x But, ecall that: g Φ(n) 1 n (Lagange) 11

12 How does it all wok? Examle: 5 q7 n35 (-1)(q-1)243*2 3 ick e11, d11 x2, E(x) y y18, D(y) e Examle: 17 q13 n221 (-1)(q-1) *2 ick e5, d77 Can we ick 16? 9? 27? 185? x5, E(x) D(y) e

13 Why is it Secue? Conjectue: eaking RSA is olynomially equivalent to factoing n. Recall that n is vey, vey lage! Why: n has unique factos, q Given and q, comuting (-1)(q-1) is easy: ed 1 Φ( n) Use extended Euclidian! 13

14 Exonentiation Costs Intege multilication -- O( 2 ) whee is itsize of ase m Modula eduction -- O( 2 ) Thus, ula multilication -- O( 2 ) Modula exonentiation -- m e n Naïve method: e-1 ula oducts -- O( 2 *e) BUT what if e is lage, (almost) as lage as n? Let L e (e.g., L1024 fo 1024-it RSA exonent) We can assume and L ae close Squae-and-multily method woks in O( 3 ) time O( 2 *2L) 14

15 Squae-and-Multily goal : comute l sizeof ( n); tem 1; fo ( i l 1; i > 0; i ) { tem* tem; tem % n; if ( e[i] ) { tem* m m; tem% n; } } e n Fom left to ight in e Examle 1: e100 Examle 2: e Examle 3: e

16 Seeding u RSA Decytion Let : C - RSA cihetext d d ( 1) d d ( q 1) q comute: M C q M C q q and solve: M M M M q d d q M [ M + M q ( q( q 1 1 ) q)]( q) 16

17 Moe on RSA Modulus n is unique e use à cannot shae n What haens if Alice and Bo shae the same ulus? Alice has (e,d,n) and Bo (e,d,n) Alice wants to comute d (Bo s ivate key) She knows that: e * d 1 hi(n) So: e * d k * hi(n) + 1 and: e * d - 1 k * hi(n) Alice just needs to comute invese of e X whee X e * d 1 k * hi(n) let s call this invese d and ememe that: d * e k * k * hi(n) + 1 can we e sue that: d d? Is it ossile that e has no invese X? Yes, if e hi(n) o gcd(e,k)>1 ut this is vey, vey UNLIKELY! Fo all decytion uoses, d is EQUIVALENT to d Suose Eve encyted fo Bo: C (m) e n Alice comutes: C d n m e d n (m) k * k * hi(n) + 1 n m 17

18 Lectue 8 Pulic Key Cytogahy: Encytion + Signatues 18

19 El Gamal PK Cytosystem (83) lage ime ase, imitive element, geneato x ivate exonent x y ulic esidue; y * P Z * * C Z Z ulics :,, y secets : x Encytion : 1. geneate andom Z 1 2. comute : k x 3. comute : c my m 4. cihetext {k,c} Decytion : x 1. comute k x 1 2. comute ( k ) x 1 x x 3. m' ( k ) c m m 19

20 20 El Gamal (Examle) * Decytion : {10,2} cihetext *5 c k m Encytion : y 9 x 2 13

21 Digital Signatues I did not have intimate elations with that woman,, Ms. Lewinsky Integity Authentication Non-Reudiation Time-Staming Causality Authoization If you like you cuent health insuance lan, you can kee it! 21

22 Digital Signatues A signatue scheme: (P,A,K,Sign,Veify) P - laintext (msgs) A - signatues K - keys Usually message hash Sign - signing function: (P*K)->A Veify - veification function: (P*A*K) à {0,1} 22

23 RSA Signatue Scheme Use the fact that, in RSA, encytion eveses decytion Let n q whee ¹ q ae two (lage) imes eî Z * F( n) Sign( m) : y and e d m Veification : signatue y Veify ( y, m) : ( m d y -1 F(n) ( -1)(q -1) Secets :, q, d Pulics : n, e Signing : message m n e Φ(n) and ed º 1 Φ(n) )??? 23

24 RSA Signatue Scheme (contd) The Good: Veification can e chea (like RSA encytion) Mechanically same as RSA decytion function Secuity ased on RSA encytion Signing is hade ut #veify-s > 1 Deteministic The Bad: Recall that RSA is malleale: signatues can e massaged Phony andom signatues comute YRSA(e,X)X e n X is a signatue of Y ecause Y d X n The Ugly: Signing equies integity! How to sign multile locks? Deteministic needs additional andomization! 24

25 25 El Gamal Signatue Scheme m x m x xk m x c k m c k x k y notice that k y Veifying {k,c} signatue xk m comute : c k comute Z geneate andom Signing x : secets y ulics Z Z A Z P y ulic esidue y ivate exonent x geneato ase, ime lage + ) / / ( 1 1 * * * ) ( :??? : 4. 1 ) ( 3. : :,, : ;

26 26 El Gamal PK Cytosystem m m c k m' k comute comute k Decytion : {k,c} cihetext m my comute : c k comute Z geneate andom Encytion x : secets y ulics Z Z C Z P y ulic esidue y ivate exonent x geneato imitive element, ase, ime lage x x x x x x x ) ( 3. ) ( : :,, : ; * * * * m x m x xk m x c k m c k x k y notice that k y Veifying {k,c} signatue xk m comute : c k comute Z geneate andom Signing x : secets y ulics Z Z A Z P y ulic esidue y ivate exonent x geneato ase, ime lage + ) / / ( 1 1 * * * * ) ( :??? : 4. 1 ) ( 3. : :,, : ; El Gamal Signatue Scheme

27 El Gamal Signatue Scheme (contd) The good: Signing is chea(e) Designed as a signatue function Non-deteministic (andomized) The ad: Need GOOD souce of andom numes Randomizes cannot e evealed (tace) Randomizes cannot e eused 27

28 The Digital Signatue Standad (DSS) Why DSS? RSA issues: atents, malleaility, etc. A vaiant of El Gamal Oiginally fo 512 its, now u to 1024 Otimized fo signatue size (320- vs it) Signing - 1 ex, veification - 2 exs No attacks thus fa 28

29 DSS (contd) lage ime ase, geneato x ivate exonent x y ulic esidue; y * * * P Z, A Z Z ulics :,, y secets : x Signing : 1. geneate andom Z 2. comute : k 3. comute : c ( m xk) 4. signatue {k,c} Veifying : k c y k m * 1 1??? it ime q 160 it ime, ( 1)%q 0 ase, q 1 ( δ ( 1)/q ) x ivate exonent y ulic esidue; y x P Z *, A Z q Z q ulics :, q,, y secets : x Signing : 1. geneate andom Z * q1 2. comute : k ( )q 3. comute : c (m + xk) 1 q 4. signatue {k,c} Veifying : ( mc1 k kc1 )q k??? notice that : mc1 y kc1 m/(m+x ) ( x ) ( /(m+x ) (m+x )/(m+x ) 29

30 Identification Pulic key cytogahy can e also used fo IDENTIFICATION Identification is an inteactive otocol wheey one aty: ove (who claims to e, say, Alice) convinces the othe aty: veifie (Bo) that she is indeed Alice Identification can e accomlished with ulic key digital signatues Howeve, signatues eveal infomation Also, signatues ae tansfeale, i.e., anyone can veify them 30

31 The Cave Analogy of Zeo-Knowledge Point A: enty (V)eifie Claustohoic and afaid of the dak Point B (P)ove Claims to have the key V cannot follow P into the cave Locked doo on oth sides 31

32 The Cave Analogy of Zeo-Knowledge The Potocol: 1) V asks someone he tusts to check that the doo is locked on oth sides. 2) P goes into the maze ast oint B (heading eithe ight o left) 3) V looks into the cave (while standing at oint A) Point A Point B 4) V andomly icks ight o left 5) V shouts (vey loudly!) fo P to come out fom the icked diection 6) If P doesn t come out fom the icked diection, V knows that P is a lia and otocol teminates REPEAT (2)-(6) n TIMES 32

33 Fiat-Shami Identification Scheme In Fiat-Shami, ove has an RSA ulus (factoization is secet). n q Factos themselves ae not used in the otocol. Unlike RSA, a tusted cente can geneate a gloal n, used y eveyone, as long as noody knows its factoization. Tusted cente can foget the factoization afte comuting n. 33

34 Fiat-Shami Identification Scheme Secet Key: Pove (P) chooses a andom value 1 < S < n (to seve as the key) such that gcd(s,n) 1 Pulic Key: P comutes IS 2 n, ulishes (I,n) as his ulic key. Puose of the otocol: P has to convince veifie (V) that he knows the secet S coesonding to the ulic key (I,n), i.e., to ove that he knows a squae oot of I n, without evealing S o any otion theeof 34

35 Pove (Alice) Fiat-Shami Veifie (Bo) n, I, S ick andom R; set xr 2 n I, x n quey 0 1 R R * S n Check that: R 2 x n (RS) 2 xi n 35

36 Fiat-Shami Identification Scheme V wants to authenticate identity of P, who claims to have a ulic key I. Thus, V asks P to convince him that P knows the secet key S coesonding to I. 1. P chooses at andom 1 < R < n and comutes: X R 2 n 2. P sends X to V 3. V andomly equests fom P one of two things (0 o 1): (a) () R o RS n 4. P sends equested infomation 36

37 Fiat-Shami ZK Identification Scheme 5. V checks the coect answe: a) R 2? X ( n) o ) (R*S) 2? X*I ( n) 6. If veification fails, V concludes that P does not know S 7. Potocol is eeated t (usually 20, 30, o log n) times, and, if each one succeeds, V concludes that P is the claimed aty. 37

38 What if Pove knows the challenge ahead of time: Case 0 n, I (doesn t know S) ick andom R; set xr 2 n I, x n quey 0 R Check that: R 2 x n 38

39 What if Pove knows the challenge ahead of time: Case 1 n, I (doesn t know S) ick andom R; set xr 2 *I n I, xr 2 *I n quey 1 R*I n (Instead of: R*S n) Check that: (R*I) 2 x*i n 39

40 Fiat-Shami Identification Scheme CLAIM: Potocol does not eveal ANY infomation aout S o Potocol is ZERO-KNOWLEDGE Poof: We show that no infomation on S is evealed: Clealy, when P sends X o R, he does not eveal any infomation on S. When P sends RS n: RS n is andom, since R is andom and gcd(s, n) 1. If advesay can comute any infomation on S fom I, n, X and RS n he can also comute the same infomation on S fom I and n, since he can choose a andom T R S n and comute: X T 2 I -1 (R ) 2 S 2 I -1 (R ) 2 40

41 Secuity Clealy, if P knows S, then V is convinced of his identity. If P does not know S, he can eithe: 1. know R, ut not RS n. Since he is choosing R, he cannot multily it y the unknown value S o 2. choose RS n, and thus can answe the second question: RS n. But, in this case, he cannot answe the fist question R, since he needs to divide y the unknown S. 41

42 Secuity In any case, advesay cannot answe oth questions, since othewise he can comute S as the atio etween the two answes. But, we assumed that comuting S is had, equivalent to factoing n. Since P does not know in advance (when choosing R o RS n) which question that V will ask, he cannot foesee the equied choice. He can succeed in guessing V s question with oaility 1/2 fo each question. The oaility that V fails to catch P in all uns is thus: 2 -t (e.g., 1 in 1,000,000,000 fo t20) 42

Lecture 10. Public Key Cryptography: Encryption + Signatures. Identification

Lecture 10. Public Key Cryptography: Encryption + Signatures. Identification Lecture 10 Public Key Cryptography: Encryption + Signatures 1 Identification Public key cryptography can be also used for IDENTIFICATION Identification is an interactive protocol whereby one party: prover